Archive for January, 2009

A closer look at the HP c7000 Blade Center

Saturday, January 31st, 2009

Actually I wanted to write something this week about security with the MBSA from Microsoft. But after a hard week working with the new blade series from HP, we take a closer look at the benefits of the c7000 instead. Next time the security geeks will be pleased. First we look at the question: what is a Blade Center? A blade center is a 12 U high rack-mounted system. In this box you have 6 2700 Watt power supplies, 8 multifunction network slots, 10 high-performance fans and room for up to 32 dual Quad Core servers. The whole center can be managed from 2 web sites. So it's very cool for IT professionals.

Let's take a closer look at the servers. There are 16 bays for servers; some enterprise servers need two slots, while some "low power" dual quad-core blades, each with 32 GB memory, need only half a slot for two servers. In my case I am using 16 HP ProLiant BL460c server blades. Nice to know is that these slots can also be used for tape (DLT 5), storage (DAS) and PCI-Express blades, but then you lose a slot.

The network slots of the blade center can be equipped with Cisco, HP, McData and Virtual Connect bays. Choosing the best one for your environment is a very hard and complex decision. Virtual Connect is a brand new technology from HP which is "weder Fisch noch Vogel" (neither fish nor fowl). The best description is a virtual patch panel: it can switch, and it can do some layer 3 things like VLAN tagging. The most important thing is that it is able to do dynamic LACP port channels, which in HP English is an "Auto Port" :-) .

So, enough of the geek fanboy stuff; let's talk about the benefits and disappointments of blades. In most guides you find that the c7000 is internally completely redundant. This is simply a lie. The baseboard is one single part; if it fails, the whole c7000 goes DOWN !!! HP says it has a normal time to failure of 140 years. Why then do I know of two blade centers already on their second baseboard? I am not that old :-) It has 10 fan slots, but to operate in redundant mode you need only 8; if one fails nothing happens. My guess is that you will only need the 10 fans in the future, with 16 GHz 12-core CPUs and 200 GB RAM, so save the money while ordering. Not every mezzanine card that is able to work in the slot makes sense.

[image: schematic from the HP product bulletin]

Take a look at this schematic from the HP product bulletin. With a half-height blade (16 blades per enclosure) you are only able to use 2 slots. So if you buy a quad-port NIC you are only able to use 2 ports. HP doesn't tell you this in the ordering process. In some cases blades are cheaper than normal servers, but it depends on the configuration; in most cases, if you need Fibre Channel HBAs, there is a good chance to be on the cheaper side. Blades are a complex and modern technology which requires intensive study by the IT professional.

At last, some nice videos from HP with happy people from Japan.

Windows Server Baseline Security

Friday, January 23rd, 2009

Part One. Today and in my next posts we want to take a closer look at the security settings of a Windows server. One good way to start is the "Security Configuration Wizard", later called SCW. The wizard was patched into the operating system with SP1. In Release 2 of Windows Server 2003 you don't need to patch it; it is there from the start with SP2. To enable the feature just open the Windows components dialog ("Add or Remove Programs" -> "Add/Remove Windows Components") and mark the check box. Now you need to insert the Windows disk. In the "Administrative Tools" you will find a new program "Security Configuration Wizard". Or just run "scw.exe" from Run.

On the start-up screen of the SCW there is the first important notice. The message indicates that the wizard will detect inbound ports that are being used by this server. This requires that all applications that use inbound ports be running before you run the wizard and create the security policy. In my lab the server will work as a file and print server. To make it a little harder, the lab server also runs TeamSpeak, which is not a Microsoft application. The TeamSpeak server will listen on UDP port 8767.

After clicking Next, the wizard asks to create a new policy. The next part is interesting: you are able to choose the local or a remote server. My preferred option is to install the SCW on each server and make local scans. Now we are able to check the version of the "Security DB". If you need a special service on many servers which is not listed, edit the XML files in "%SystemRoot%\Security\msscw\policies". More info about the XML files can be found via Google. After skipping the window we are able to choose the server roles. In the next dialog we are able to choose the client features like DHCP client, WINS client and many more. Now Microsoft wants us to choose which options of the server are installed. The SCW now detects non-Windows services; in my lab it finds the VM Tools :-) .

Now we must approve the disabling of unused services. Please check the list very carefully. Now the big magic continues with the approval of TCP/IP ports. Please check this list very carefully too. Now one of the biggest "lion's dens": in the registry the SCW will change settings for "SMB Security Signatures", "LDAP Signing", "Outbound Authentication Protocols" and "Inbound Authentication Protocols". With these settings enabled the server is hardened against most man-in-the-middle attacks, and password cracking will not be so easy. The audit policy is a mixed blessing. It is very important for finding security issues in the logs, but studying the logs takes much, much time. So just enable the normal logging. Enter a description and save the policy file. Now you are able to apply the policy now or later. Applying the policy will force a restart of the server !!

After applying the policy the TeamSpeak server stops working, as expected. But after editing the policy and inserting port 8767 again, all services work fine.


My conclusion on the Microsoft Security Configuration Wizard: the tool is very easy to use and brings many good changes in a short time. The use of SCW should be carefully tested. But I strongly advise using it on all Windows servers.
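As an added example (not from the original post and not part of the wizard), a PowerShell script that reads back the registry values behind the SCW registry step, so you can verify on the server after the reboot that SMB signing, LDAP signing and the authentication-protocol settings actually landed. The mapping of the wizard's wording to these value names, and the "wanted" values, are my assumptions, not the wizard's documentation.

```powershell
# Added example, not from the original post. Audits the registry values that (assumed
# here) sit behind the SCW registry step: SMB Security Signatures, LDAP Signing and the
# Inbound/Outbound Authentication Protocols. Run in an elevated PowerShell after the reboot.
$baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Want = 1; Mask = $false; Note = 'server requires SMB signing' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Want = 1; Mask = $false; Note = 'client requires SMB signing' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name = 'LDAPClientIntegrity'; Want = 1; Mask = $false; Note = '1 = negotiate, 2 = require LDAP signing' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Want = 5; Mask = $false; Note = '5 = NTLMv2 only, LM and NTLM refused' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'NTLMMinClientSec'; Want = 0x20080000; Mask = $true; Note = 'NTLMv2 session security + 128-bit' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'NTLMMinServerSec'; Want = 0x20080000; Mask = $true; Note = 'NTLMv2 session security + 128-bit' }
)

function Test-ScwHardening {
    param([array]$Checks = $baseline)
    foreach ($c in $Checks) {
        # A missing value (or key) means the OS default applies, which is the weak setting.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $have = $null
        if ($item) { $have = $item.($c.Name) }
        if ($null -eq $have) { $state = 'MISSING (OS default applies)' }
        elseif ($c.Mask) {
            # Bit flags: every wanted bit must be set; extra bits are fine.
            if (($have -band $c.Want) -eq $c.Want) { $state = 'OK' } else { $state = 'WEAK' }
        }
        elseif ($have -ge $c.Want) { $state = 'OK' }   # levels: higher is stricter
        else { $state = 'WEAK' }
        New-Object PSObject -Property @{
            State   = $state
            Setting = ($c.Path -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\', '') + '\' + $c.Name
            Current = $have
            Wanted  = ('0x{0:X}' -f $c.Want)
            Note    = $c.Note
        }
    }
}

Test-ScwHardening | Format-Table State, Setting, Current, Wanted, Note -AutoSize
```

Anything reported as WEAK or MISSING after the SCW reboot is a setting the policy did not reach (or one that a later GPO reset), so compare it against the saved policy XML before touching it by hand.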

Windows 7

Saturday, January 17th, 2009

It's new, it's hot, it's Seven and it's in beta: the new version of the Microsoft client operating system. Since the 10th of January the beta version can be obtained from www.microsoft.com. So let's take a short look at the new philosopher's stone of Microsoft. In this little video you can see the installation of Windows Seven. Take a special look at the hard drive partitioning and at the new HomeGroup feature.

After some exploring of the new OS I feel fine, because not everything has changed. Here is a print screen of my first bluescreen on Seven. The screen appeared when trying to install the VMware Tools. After a reboot the install worked fine.

If you want to try your own Seven install, an in-place upgrade should work from Vista SP1, or do a new installation. The installation needs 6.4 GB of disk space.

Some nice things in the beta are Internet Explorer 8, Media Player, DirectX 11, a newly dressed Paint GUI and a freaky taskbar.

Generally the new design looks very nice, and User Account Control is not as annoying as in Vista. My guess is that Microsoft is on the right way with Windows Seven build 7000.

W32time on Windows Server 2003

Sunday, January 11th, 2009

Time is the fire in which we all burn, so says a wise man. But for IT professionals time is one of the essential things. It is very ugly when the system times of servers across the Windows domain are different: CIFS shares will not map, printers don't print, and even the GPOs will not be applied, which may end in catastrophic security risks. To prevent this from happening some geeks invented NTP (Network Time Protocol), which is implemented on Windows Server 2003 / Windows Server 2008 / Windows XP and Vista. The Windows 2k line uses SNTP (Simple Network Time Protocol), which is very different from NTP. Do not try this article under Windows 2k. NTP is one of the oldest layer 7 protocols for TCP/IP; it was founded in 1985 at the University of Delaware. Novell has used NTP since NetWare 3. So for all NetWare people it's "an old hat".

The key idea of NTP is that you can have a hierarchical infrastructure of time servers. The time servers are categorized in 17 or 256 stratum classes. On the MCSE or Novell CNE exams they use the version of NTP with 17 strata.

Wikipedia has a good explanation of the stratum levels:

Stratum 0

These are devices such as atomic (caesium, rubidium) clocks, GPS clocks or other radio clocks. Stratum-0 devices are traditionally not attached to the network; instead they are locally connected to computers (e.g., via an RS-232 connection using a Pulse per second signal).

Stratum 1

These are computers attached to Stratum 0 devices. Normally they act as servers for timing requests from Stratum 2 servers via NTP. These computers are also referred to as time servers. Many Stratum 1 servers (for NTP v3 and earlier versions) may not actually be operating with Stratum 1 precision. As the NTP protocol is developed, it will become less and less possible for misleading Stratum 1 servers to run — instead the protocol would automatically bump the server Stratum level down accordingly.

Stratum 2

These are computers that send NTP requests to Stratum 1 servers. Normally a Stratum 2 computer will reference a number of Stratum 1 servers and use the NTP algorithm to gather the best data sample, dropping any Stratum 1 servers that seem obviously wrong. Stratum 2 computers will peer with other Stratum 2 computers to provide more stable and robust time for all devices in the peer group. Stratum 2 computers normally act as servers for Stratum 3 NTP requests.

Stratum 3

These computers employ exactly the same NTP functions of peering and data sampling as Stratum 2, and can themselves act as servers for lower strata, potentially up to 16 levels. NTP (depending on what version of NTP protocol in use) supports up to 256 strata.


Let us focus on the Windows gaps. Out of the box the following strata will be used.

Stratum   Description
1         Locally connected hardware clock (optional)
          Internet time server (optional)
2         PDC Emulator in forest root domain
3         Other domain controllers in forest root domain
          PDC Emulators in child domains
4         Workstations and member servers in forest root domain
          Other domain controllers in child domains
5         Workstations and member servers in child domains

Normally this will work very fine out of the box. But there are some infrastructures that have no locally connected hardware clock or no internet connection to an internet time server. In this case a registry change on the PDC in the forest root domain is required.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
and edit the value of "ReliableTimeSource" to "1".

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
and edit the value of "LocalNTP" to "1".

Restart the time service: "Start" -> "Run" -> "net stop w32time && net start w32time".

To deploy the new time settings in the domain you must run "w32tm -s" from every server and client in the domain except the time server !!!
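The steps above scripted, as an added example that is not part of the original post: the registry change is only applied when the script runs on the forest root PDC emulator (looked up via the .NET System.DirectoryServices.ActiveDirectory classes, an assumption about the environment), and every other machine only does the resync step, so the "except the time server" rule cannot be broken by accident. It assumes PowerShell with .NET 2.0 on a domain-joined box, and uses "w32tm /resync", the XP/2003 spelling of the resync command.

```powershell
# Added example, not from the original post. Applies the W32Time steps of the post with a
# guard: only the forest root PDC emulator gets the two registry values; everyone else resyncs.
# Run as an administrator on a domain member (needs .NET 2.0 for the AD lookup).
$w32Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-ForestRootPdc {
    # The forest root PDC emulator is the stratum-2 box in the table above.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return $forest.RootDomain.PdcRoleOwner.Name          # FQDN of the PDC emulator
}

function Test-IsForestRootPdc {
    $pdcHost = (Get-ForestRootPdc).Split('.')[0]
    return ($pdcHost -ieq $env:COMPUTERNAME)
}

function Set-ForestRootTimeSource {
    # The two values from the post; the old values are reported so the change can be rolled back.
    $names  = 'ReliableTimeSource', 'LocalNTP'
    $before = Get-ItemProperty -Path $w32Params
    foreach ($name in $names) {
        Set-ItemProperty -Path $w32Params -Name $name -Value 1 -Type DWord
    }
    Restart-Service -Name w32time -Force                 # same as net stop / net start w32time
    $after = Get-ItemProperty -Path $w32Params
    foreach ($name in $names) {
        New-Object PSObject -Property @{ Value = $name; Before = $before.$name; After = $after.$name }
    }
}

if (Test-IsForestRootPdc) {
    Set-ForestRootTimeSource | Format-Table Value, Before, After -AutoSize
} else {
    # Member servers, clients and the other DCs only pull time from the hierarchy.
    Write-Host "Not the forest root PDC ($(Get-ForestRootPdc)); resyncing against the domain hierarchy."
    w32tm /resync /nowait
}
```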